ClusterControl comes with an advanced user management system, managed by ClusterControl Controller (cmon) service. Every operation initiated by ClusterControl clients (GUI or CLI) is associated with a user. A user must be authenticated with the controller service before performing any operation.
ClusterControl supports private/public key and password authentication. All users’ activities are logged and accessible via the Audit Log, available under the Activity center section. A user can be disabled or enabled by anyone in the admins group.
Create user or team
Opens a dialog to create a user or a team. From here you may choose to Create user or Create team.
Create user
To create a user, fill up all the following information:
| Field |
Description |
| Details |
| First name |
- The first name of the user.
|
| Last name |
- The last name of the user.
|
| Username |
- The username of the user.
|
| Password |
|
| Email |
- Email address of the user. This must be a valid email address, for password reset and email notifications.
|
| Timezone |
- Choose a timezone from the dropdown list. This timezone will reflect the date/time presentation of the ClusterControl events and monitoring data points.
|
| Team |
| Team |
- Choose a team from the dropdown. This is considered the primary group for this user. A user can be assigned to multiple groups (teams). See Create Team.
|
Note
The username “admin” is reserved for ClusterControl internal usage. It is a system user and is not intended to be used by anyone.
See also
You can also create a ClusterControl user by using the command-line interface (CLI). See s9s-user.
Create team
Teams group users. Each team may consist of zero or more users. A single user may be a part of one team. Teams may be assigned to zero or more clusters.
When creating a team, the primary team where the user who creates it belongs, will be the team owner. Only the team owner is allowed to delete or modify the team. Only the owner’s team is allowed to delete the cluster. All clusters created by a specific user also belong to the same team.
To create a team, fill up the following information:
| Field |
Description |
| Details |
| Team name |
|
| Users |
| Users |
- The username of the user.
|
| Password |
- Select one or more users from the list. You can always add users later.
|
| Permissions |
| Change controller configuration |
- Toggle ON to allow users on this team to change all cluster configurations of this controller.
|
| Change LDAP settings |
- Toggle ON to allow users to change LDAP settings under the User Management page.
|
| Manage users and teams |
- Toggle ON to allow users to create, edit, and delete ClusterControl users and teams.
|
| Deploy clusters |
- Toggle ON to allow users to deploy a new cluster or import an existing cluster into ClusterControl.
|
| Clusters permission level |
- Pick one of the permissions for all clusters. This permission can be adjusted later for every cluster. If you want to have fine-grained permission per cluster, choose Custom. See Cluster-Level Permissions.
|
Note
By default ClusterControl creates two teams: “admins” and “users”. There is also a hidden team for internal usage called “nobody”.
See also
You can also create a ClusterControl group by using the command-line interface (CLI). See s9s-user.
Cluster-Level Permissions
ClusterControl uses access control to restrict access to clusters and their respective deployment, management, and monitoring features. Access control defines privileges and permissions for a specific team. This ensures that only authorized user requests are allowed.
There are 3 types of access levels for clusters:
| Permission |
Description |
| Manage |
- Allows viewing the cluster and its properties such as jobs, backups, charts, metrics, and settings of the cluster. It also allows changing the settings of the cluster and managing (clone, create, delete, abort ) jobs on the specific cluster.
- It does not allow the creation or deletion of the cluster, which is only permissible to the team’s owner.
|
| View |
- Allows viewing the cluster and its properties such as jobs, backups, charts, metrics, and settings of the cluster.
- The user can not modify the cluster.
|
| No access |
- Access to the resource is denied.
|
| Custom |
- Allows specific permission levels for each cluster.
|
LDAP
ClusterControl supports integration with directory services like Active Directory, FreeIPA, and OpenLDAP authentication. This allows users to log into ClusterControl by using their corporate credentials instead of a separate password. LDAP groups can be mapped onto ClusterControl user groups to apply privileges to the entire group. This would ensure that ClusterControl authorizes the logged-in user based on the group assigned. It supports up to the LDAPv3 protocol based on RFC2307.
To integrate with a directory service, one has to perform the following steps:
- Fill up the LDAP Settings configuration wizard.
- Save the settings. At this point, LDAP is saved but not activated because no group mapping has been created yet.
- Create at least one group mapping entry by going to Map LDAP Group.
- Enable the LDAP authentication by toggling ON the LDAP Settings → Enable LDAP Authentication.
- Log in to ClusterControl by using the value of Username Attributes with the respective password. The user will be authenticated and redirected to the ClusterControl dashboard page based on the assigned group.
- From this point, both ClusterControl and LDAP authentications would work.
The last entry of the group mapping can not be deleted while LDAP authentication is enabled and activated. To delete the last entry, set Enable LDAP Authentication to OFF and you will notice the Remove Group button is no longer greyed out, allowing you to remove the last group mapping entry.
LDAP Settings
| Field |
Description |
| General Settings |
| Enable LDAP Authentication |
- Enables LDAP authentication. The native authentication in ClusterControl will also work. Please refer to the steps mentioned above, on enabling LDAP authentication.
|
| LDAP/LDAPS URI |
- Enter the LDAP or LDAPS Uniform Resource Identifier (URI), with the port number (if applicable). An example is
ldaps://ad.s9s.com:636.
- For LDAPS, you also need to provide the certificates and key files under SSL/TLS Settings section.
|
| Login DN |
- The Distinguished Name is used to bind the LDAP server. This user requires read access to all LDAP users and group entries to work correctly.
- ClusterControl must perform an LDAP search using the DN before any user can log in. This field is case-sensitive. An example is
cn=Administrator,cn=Users,dc=s9s,dc=com.
|
| Login DN Password |
- The password for Login DN.
|
| User Base DN |
- The Distinguished Name (DN) to locate the users’ information. This field is case-sensitive. An example is
cn=Users,dc=s9s,dc=com.
|
| Group Base DN |
- The Distinguished Name (DN) to locate the group information.
- ClusterControl does not support LDAP users that do not belong to at least one LDAP group. An example is
ou=Groups,dc=s9s,dc=com.
|
| Advanced Settings |
| User Base Filter |
- Filter the object class of the LDAP users. If empty, all object classes will be returned.
|
| Username Attributes |
- The LDAP attributes which hold the username, separated by a comma (whitespace value is not allowed).
- For Active Directory, this is commonly
sAMAccountName and uid for OpenLDAP.
- If more than one attribute is specified, ClusterControl will attempt to look up all of them with the first non-empty reply (in the particular order) used for the login username.
|
| Real Name Attributes |
- The LDAP attributes which hold the full name of the user, separated by a comma.
- For Active Directory, this is commonly
displayName and cn for OpenLDAP.
- If more than one attribute is specified, ClusterControl will attempt to look up all of them with the first non-empty reply (in the particular order) used for the user’s full name.
|
| Email Attributes |
- The LDAP attributes which hold the email address of the user, separated by a comma.
- For Active Directory, this is commonly
userPrincipalName and mail for OpenLDAP.
- If more than one attribute is specified, ClusterControl will attempt to look up all of them with the first non-empty reply (in the particular order) used for the user’s email address.
|
| Group Base Filter |
- Filter the object class for the LDAP groups. If empty, all object classes will be returned.
|
| Static Member Attributes |
- The LDAP attributes which represent the group’s members, separated by a comma.
- For Active Directory, this is commonly
member. For OpenLDAP, posixGroup uses memberUid, while groupOfNames uses member.
- These attributes will be used to create combinations with the value of Group Mapping Attributes when querying the LDAP server to retrieve the group’s information.
|
| Group Mapping Attributes |
- The LDAP attributes of which name holds the group membership, separated by a comma.
- For Active Directory, this is commonly
dn and uid for OpenLDAP.
- The value of these attributes will be used to create combinations with Static Member Attributes to query the LDAP server to retrieve the group.
|
| Group Name Attributes |
- The LDAP attribute where the name represents the group’s name. This is commonly
cn.
- The value of this attribute will be used in the group mapping with “ClusterControl’s Team” for authorization purposes.
|
| Network Timeout |
- The connection timeout in seconds if the LDAP server is unreachable or takes too long to respond.
|
| Protocol Version |
- The current LDAP protocol version is used.
|
| Time Limit |
- The limit in seconds for an LDAP query to finish, any query that takes longer will be aborted.
|
| SSL/TLS Settings |
| CA Cert File |
- Only if you specify
ldaps:// in the LDAP URI. This is the location of the CA certificate file on the ClusterControl host.
|
| Certificate File |
- Only if you specify
ldaps:// in the LDAP URI. This is the location of the certificate file on the ClusterControl host.
|
| Key File |
- Only if you specify
ldaps:// in the LDAP URI. This is the location of the key file on the ClusterControl host.
|
Map LDAP Group
ClusterControl requires at least one LDAP group mapping entry to be defined before the LDAP authentication can be activated. Otherwise, ClusterControl would only save the LDAP settings without activating them.
To create a group mapping, click on the Map LDAP Group button. Pick an existing team from the dropdown and specify the value of the LDAP’s Group Name Attributes that you want to be mapped with the ClusterControl team. After creating the first entry, you may proceed to activate the LDAP authentication by going to LDAP Settings → Enable LDAP Authentication.
All LDAP configurations and mappings will be stored inside this configuration file, /etc/cmon-ldap.cnf. It is recommended to configure LDAP settings and group mappings via the ClusterControl UI because any changes to this file will require a reload to the controller process, which is triggered automatically when configuring LDAP via the UI. You may also make direct modifications to the file, however, you have to reload the cmon service manually by using the systemctl restart cmon command, or service cmon restart.
| Field |
Description |
| Map LDAP Group |
- Opens a pop-up to configure the group mappings.
- Choose an existing team from the ClusterControl team dropdown and map it with the LDAP group:
- For single-tier RDN, just specify the attribute value for example “DBA”. ClusterControl will prepend the Group name attribute configured under the LDAP Settings with the value specified, and append it with the Group base DN value under the LDAP Settings. The final constructed DN will be
{Group name attribute}={value specified},{Group base DN}.
- For multi-tier RDNs, specify the attribute name and value (for multiple RDNs, delimited by a comma) for example “cn=DBA,cn=IT,ou=org1”. ClusterControl will append the value specified with the Group base DN value under the LDAP Settings. The final constructed DN will be
{value specified},{Group base DN}.
|
| Delete |
- Removes the corresponding group mapping entry.
- The last entry of the group mapping can not be deleted while LDAP authentication is enabled and activated. To delete the last entry, set Enable LDAP Authentication to OFF and you will notice the Remove Group button is no longer greyed out, allowing you to remove the last group mapping entry.
|
| Edit |
- Edit an existing group mapping entry.
- Choose an existing team from the ClusterControl team dropdown and map it with the LDAP group:
- For single-tier RDN, just specify the attribute value for example “DBA”. ClusterControl will prepend the Group name attribute configured under the LDAP Settings with the value specified, and append it with the Group base DN value under the LDAP Settings. The final constructed DN will be
{Group name attribute}={value specified},{Group base DN}.
- For multi-tier RDNs, specify the attribute name and value (for multiple RDNs, delimited by a comma) for example “cn=DBA,cn=IT,ou=org1”. ClusterControl will append the value specified with the Group base DN value under the LDAP Settings. The final constructed DN will be
{value specified},{Group base DN}.
|